Target IP: 10.10.166.70
Scanning the target shows three open TCP ports: HTTP applications on ports 80 and 65524, and an SSH service on port 6498.
Port 80: HTTP
Browsing to this port displays the default nginx webpage, as shown above. The source code of this page does not contain anything useful.
A directory search with the command gobuster dir -u http://10.10.166.70/ -w /usr/share/wordlists/dirb/big.txt -x php,html,txt against this port finds the interesting /hidden directory shown above. I also browsed to /robots.txt but did not find anything useful.
Browsing to /hidden displays the webpage above. The source code of this page does not contain anything useful.
A directory search with the command gobuster dir -u http://10.10.166.70/hidden/ -w /usr/share/wordlists/dirb/big.txt -x php,html,txt against /hidden shows another hidden directory called /whatever.
Browsing to /hidden/whatever shows the webpage above.
The source code of this page contains the base64 string shown above.
Decoding it gives the first flag. A directory search against /hidden/whatever did not lead to anything useful. Time to enumerate the other ports.
Port 65524: HTTP
Browsing to this application displays the default Apache webpage as shown above.
However, the source code contains hidden strings, as shown above. The string ba....:ObsJmP173N2X6dOrAgEAL0Vu hints that the text is encoded with some base-N scheme.
Decoding the string ObsJmP173N2X6dOrAgEAL0Vu from base62 gives /n0th1ng3ls3m4tt3r, which looks like a directory. Before browsing to it, I want to enumerate further. The third flag, flag{9fdafbd64c47471a8f54cd3fc64cd312}, is also shown above.
A directory search with the command gobuster dir -u http://10.10.166.70:65524/ -w /usr/share/wordlists/dirb/big.txt -x php,html,txt shows the interesting directories above for this application. The /robots.txt sounds juicy.
Browsing to /robots.txt shows the content above. The User-Agent field contains an MD5 hash! I tried the command curl --user-agent 'a18672860d0510e5ab6699730763b250' http://10.10.166.70:65524/robots.txt but did not obtain any other hidden directories. However, cracking this MD5 hash gives the string flag{1m_s3c0nd_fl4g}.
After enumerating for some time and finding nothing, I browsed to /n0th1ng3ls3m4tt3r. The webpage above is shown for this directory. The string 940d71e8655ac41efb5f8ab850668505b86dd64186a66e57d1483e7f5fe6fd81 is interesting.
Using the website md5hashing, I looked up the hash above; it resolves to the string mypasswordforthatjob. Could this be a password used to extract hidden data from an image, perhaps the binary image?
And bingo! I downloaded the binary image located at /n0th1ng3ls3m4tt3r and used the password mypasswordforthatjob to extract the hidden file secrettext.txt. Its content is shown above. The username is boring, but the password is written in binary (base 2). I can decode this with CyberChef.
Using CyberChef, I obtained the password iconvertedmypasswordtobinary. Now I have the credentials boring:iconvertedmypasswordtobinary.
With the credentials boring:iconvertedmypasswordtobinary, I logged in to the SSH service on port 6498 of the target machine. Now I have access to the target machine!
The interesting cron job .mysecretcronjob.sh runs as root, as shown above.
The content of .mysecretcronjob.sh is shown above. Since the user boring has write permission on this script, I can put my reverse shell inside it.
GG. I put my bash reverse shell inside the cron job script, listened on port 8443 and received a reverse shell connection running as root. Now I have root access on the target machine.
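As an added defender-side example (not part of this writeup), here is the check that would have caught this misconfiguration: a small Python audit that parses system crontab entries and flags any scheduled script that can be modified by someone other than the user the job runs as. The crontab text, script names and temporary files are constructed for the demo; the room's real cron entry and script location are not given on this page.

```python
import os
import re
import stat
import tempfile

# Matches a system crontab line: five schedule fields (or an @shortcut), the
# user the job runs as, then the command.
CRON_LINE = re.compile(r"^\s*(?:@\w+|(?:\S+\s+){4}\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$")

def script_from_entry(entry):
    """Return (user, script_path) for a cron entry, or None for comments and blanks."""
    if not entry.strip() or entry.lstrip().startswith("#"):
        return None
    m = CRON_LINE.match(entry)
    if not m:
        return None
    # Skip the interpreter (e.g. /bin/bash) and take the first script-looking path.
    for tok in m.group("cmd").split():
        if tok.startswith("/") and not tok.startswith(("/bin/", "/usr/bin/")):
            return m.group("user"), tok
    return None

def hijackable(path, job_uid):
    """True when someone other than the job's own user could edit the script."""
    st = os.stat(path)
    other_owner = st.st_uid != job_uid
    loose_mode = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    return other_owner or loose_mode

def audit_crontab(text, uid_of):
    """Map each cron script to whether it can be hijacked; uid_of resolves user names."""
    findings = {}
    for line in text.splitlines():
        parsed = script_from_entry(line)
        if parsed:
            user, path = parsed
            findings[path] = hijackable(path, uid_of(user))
    return findings

def demo():
    """Constructed sample: two cron scripts, one tight (0644) and one world-writable."""
    d = tempfile.mkdtemp()
    safe, loose = os.path.join(d, "backup.sh"), os.path.join(d, ".mysecretcronjob.sh")
    for p, mode in ((safe, 0o644), (loose, 0o666)):
        with open(p, "w") as f:
            f.write("#!/bin/bash\necho job\n")
        os.chmod(p, mode)
    # Constructed /etc/crontab excerpt; "me" is a placeholder user resolved to our own uid.
    crontab = f"# constructed\n*/5 * * * * me /bin/bash {safe}\n* * * * * me /bin/bash {loose}\n"
    return audit_crontab(crontab, uid_of=lambda user: os.getuid())
```

Running demo() returns a dict in which only .mysecretcronjob.sh is marked hijackable; on a live host you would feed it /etc/crontab and the files under /etc/cron.d with pwd.getpwnam for uid_of.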
The user.txt flag is shown above, but its content is rotated.
The ciphertext is a Caesar cipher. Using a key of 20, I obtained the plaintext flag flag{n0wits33msn0rm4l}.
The .root.txt flag is located at /root.